‘Shadow Brokers’ Threaten to Release More Stolen NSA Cyber Weapons


The “Shadow Brokers,” the group that pilfered and published the stolen National Security Agency hacking tools that turned the WannaCry ransomware virus into a global crisis, are threatening to sell more stolen cyber weapons in June.

AFP describes the latest communique from the Shadow Brokers as a “taunting online message in broken English,” which announced the group would “take payments beginning in June for monthly releases of computer hacks and vulnerability exploits.”

The Shadow Brokers always take pains to sound like cartoon versions of Russian spies in their messages. This particular missive includes Moose and Squirrel verbiage such as, “Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”

The Shadow Brokers spend much of their latest message taunting a particular adversary, another hacking team linked to the NSA called The Equation Group. The Shadow Brokers insist their goal in stealing and selling these NSA hacking tools was to embarrass The Equation Group. As the hackers put it, quoting an infamous Internet meme based on an old videogame, “All your bases are belong to us.”

“TheShadowBrokers is not being interested in bug bounties, selling to cyber thugs, or giving to greedy corporate empires. TheShadowBrokers is taking pride in picking adversary equal to or better than selves, a worthy opponent. Is always being about theshadowbrokers vs theequationgroup,” the message declares.

The Shadow Brokers jeer at various governments and “bullshit security companies” that did not bother to place bids when they attempted to sell the stolen hacking tools in an online auction. The auction was canceled when no one submitted a bid equal to the high price the thieves demanded. The Shadow Brokers portray themselves as insulted by the lack of bids, releasing the EternalBlue worm tools that were later incorporated into the WannaCry ransomware virus to prove their claims of holding “75% of U.S. cyber arsenal” are serious.

Speaking of WannaCry, the Shadow Brokers say they were “eating popcorn” and watching the spread of the virus with great amusement. They also enjoyed the firing of FBI Director James Comey, toward whom they seem to harbor great animosity. The title of their message, in fact, is “OH LORDY! Comey Wanna Cry Edition.”

The hackers imply WannaCry might have been a false-flag operation designed to provoke hostilities between the United States and North Korea, which has been linked to an early version of the ransomware code.

“Is being very strange behavior for crimeware? Killswitch? Crimeware is caring about target country?” they write, referring to the code discovered by a cybersecurity researcher that greatly impeded the spread of WannaCry over the weekend.

The communique is seasoned with contempt for Microsoft, for allowing the vulnerabilities exploited by viruses like WannaCry to exist unpatched for so long, and for users who waited too long to install the patches that would have inoculated them against WannaCry. Conversely, the Shadow Brokers fault the NSA and its Equation Group for waiting so long to tell Microsoft the vulnerabilities existed.

Among the new wares (or “warez” to use the preferred hacker spelling) the Shadow Brokers claim they might soon put on sale are exploits that target vulnerabilities in Windows 10 and tools to hack web browsers, routers, and mobile devices.

Also, they imply they are in possession of “compromised network data” from the Russian, Chinese, Iranian, and North Korean nuclear and missile programs. Since the Shadow Brokers are widely suspected of connections to the Russian government (that is why they mockingly use the broken Russian accent when they write), the threats to sell that nuclear and missile data might be disingenuous.

A final extortion threat is leveled at the end of the message: if the rightful owners of the data and software stolen by the Shadow Brokers pay them an appropriate sum in Bitcoin, the group will “go dark permanently” because it will have “no more financial incentives” to continue its risky operations. C/NET notes that they probably have a very large sum in mind, as the price they demanded at auction for the NSA software was about $580 million in Bitcoin.

It is increasingly clear that the NSA informed Microsoft of the Windows software vulnerabilities it had long kept secret when it realized its powerful hacking tools had been stolen and exposed to the world. This will naturally lead to mounting criticism that neither Microsoft nor the NSA informed the general public about the danger that a virus like WannaCry could unleash. 

Microsoft has been castigated for making a patch to the vulnerability in later versions of Windows available a month ago, without impressing upon users the urgency of downloading and installing that patch immediately. The older, officially obsolete Windows XP, which is still running on a large number of older computers around the world, was not patched until after the scale of the WannaCry infection became clear.

The new threat from the Shadow Brokers could provoke a new crisis at the offices of Microsoft and the National Security Agency: should they credit the Shadow Brokers’ claims and come clean about vulnerabilities that might be exposed by the “dump of the month” program when it begins in June? If they don’t, and another global online pandemic is unleashed, the outrage directed their way will be deafening.

Likewise, Microsoft and other tech firms will be furious at the governments of the United States and other countries if intelligence agencies are still hoarding exploits for their own purposes and putting computer users at risk. The Shadow Brokers could be bluffing, but after the astounding damage inflicted by WannaCry last weekend, tech executives and government officials may be reluctant to call their bluff.

